From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Lucas Stach, Christian Gmeiner
Subject: [PATCH 4.19 201/239] drm/etnaviv: limit submit sizes
Date: Mon, 24 Jan 2022 19:43:59 +0100
Message-Id: <20220124183949.502885321@linuxfoundation.org>
In-Reply-To: <20220124183943.102762895@linuxfoundation.org>

From: Lucas Stach

commit 6dfa2fab8ddd46faa771a102672176bee7a065de upstream.

Currently we allow ridiculous amounts of kernel memory being allocated via the etnaviv GEM_SUBMIT ioctl, which is a pretty easy DoS vector. Put some reasonable limits in to fix this.

The commandstream size is limited to 64KB, which was already a soft limit on older kernels after which the kernel only took submits on a best effort base, so there is no userspace that tries to submit commandstreams larger than this. Even if the whole commandstream is a single incrementing address load, the size limit also limits the number of potential relocs and referenced buffers to slightly under 64K, so use the same limit for those arguments. The performance monitoring infrastructure currently supports less than 50 performance counter signals, so limiting them to 128 on a single submit seems like a reasonably future-proof number for now. This number can be bumped if needed without breaking the interface.

Cc: stable@vger.kernel.org
Reported-by: Dan Carpenter
Signed-off-by: Lucas Stach
Reviewed-by: Christian Gmeiner
Signed-off-by: Greg Kroah-Hartman
---
 drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c +++ b/drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c
@@ -444,6 +444,12 @@ int etnaviv_ioctl_gem_submit(struct drm_ return -EINVAL; } + if (args->stream_size > SZ_64K || args->nr_relocs > SZ_64K || + args->nr_bos > SZ_64K || args->nr_pmrs > 128) { + DRM_ERROR("submit arguments out of size limits\n"); + return -EINVAL; + } + /* * Copy the command submission and bo array to kernel space in * one go, and do this outside of any locks.
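
Review bot: The DRM_ERROR() on the rejection path of the new size check is driven entirely by caller-supplied ioctl arguments, so every out-of-range GEM_SUBMIT produces an error-level kernel log line with no throttling; since the commit is about closing a DoS vector, consider a debug-level or rate-limited print here instead. The message also does not say which of stream_size, nr_relocs, nr_bos or nr_pmrs tripped the check, which makes a legitimate userspace failure harder to diagnose; printing the offending values would help. Finally, the bare 128 for nr_pmrs is explained only in the commit message ("less than 50 performance counter signals"); a named constant with a one-line comment next to the check would keep that rationale visible to whoever bumps the limit later.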